Merge branch 'security-60551-fix-upload-scope' into 'master'

Queries for Upload should be scoped by model See merge request gitlab/gitlabhq!3229
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-07-26 16:40:54 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-07-26 16:40:54 +0300
commit: 461101c3b50ef2215a3be9a099bf2581473d7d2d (patch)
tree: 6714e2d17e2c45926a1355ca029f987b58f1de19 /spec/support/shared_examples/controllers
parent: 4b2d49b7285f7968e894c635321f878d77773bb8 (diff)
parent: dfe906209e2238b82c84c9fb435498cae2f3d43e (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
index 59708173716..9036838e50a 100644
--- a/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
+++ b/spec/support/shared_examples/controllers/uploads_actions_shared_examples.rb
@@ -74,6 +74,16 @@ shared_examples 'handle uploads' do
       UploadService.new(model, jpg, uploader_class).execute
     end
 
+    context 'when accessing a specific upload via different model' do
+      it 'responds with status 404' do
+        params.merge!(other_params)
+
+        show_upload
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
     context "when the model is public" do
       before do
         model.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-07-26 16:40:54 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-07-26 16:40:54 +0300
commit	461101c3b50ef2215a3be9a099bf2581473d7d2d (patch)
tree	6714e2d17e2c45926a1355ca029f987b58f1de19 /spec/support/shared_examples/controllers
parent	4b2d49b7285f7968e894c635321f878d77773bb8 (diff)
parent	dfe906209e2238b82c84c9fb435498cae2f3d43e (diff)